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ABSTRACT 


Although  there  are  many  well-established  cyber  security  tools  and  techniques 
available  to  network  administrators  for  managing  and  defining  their  systems,  attackers 
still  succeed  in  penetrating  their  systems.  Defending  these  systems’  confidentiality, 
integrity,  and  availability  is  the  responsibility  of  network  administrators;  however, 
protecting  these  systems  becomes  more  difficult  when  one  considers  the  volume  and 
velocity  of  data  provided  by  many  of  these  cyber  security  tools.  Often  this  data  may 
actually  indicate  a  cyber-attack,  but  is  hard  to  discern  among  the  bulk  of  data  provided. 
The  purpose  of  this  research  is  to  propose  a  cyber  situational  awareness  (CSA)  model  to 
provide  network  administrators  with  better  situational  awareness  of  cyber  security  threats 
to  their  systems.  This  research  examines  an  established  situational  awareness  model  and 
surveys  cyber  security  practices  and  tools  to  extend  this  knowledge  to  actual  cyber 
situational  awareness.  This  research  further  develops  a  model  for  CSA  in  three 
hierarchical  levels:  configurational  awareness,  operational  awareness,  and  special 
conditions  awareness.  The  research  concludes  that  if  network  administrators  manage  their 
systems  with  awareness  of  these  three  levels,  they  would  be  able  to  decrease  the  amount 
of  unnecessary  data  and  focus  on  the  most  important  information  that  can  help  them 
better  guarantee  cyber  security  of  their  systems. 
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I. 


INTRODUCTION 


A.  OVERVIEW 

Vulnerabilities  inside  cyber  systems  are  of  primary  interest  to  cyber  attackers 
since  every  vulnerability  opens  a  new  door  for  a  threat  to  exploit.  This  is  especially  true 
for  large  military  or  governmental  organizations,  where  these  vulnerabilities  may  result  in 
serious  risks  to  critical  national  security  systems. 

Cyber  system  vulnerabilities  may  be  a  result  of  untrained  system  users,  insider 
threats,  or  weaknesses  in  the  systems  themselves.  For  example,  a  user  who  is  not  allowed 
to  use  a  flash  drive  on  an  organizational  computer,  but  nonetheless  uses  one  without 
knowing  what  is  stored  on  the  flash  drive  may  inadvertently  cause  malicious  software  to 
penetrate  the  network.  Alternately,  a  malicious  insider  may  do  essentially  the  same  thing, 
but  intentionally  and  secretly,  or  may  change  system  settings  to  create  a  security 
vulnerability  or  create  even  more  damage  not  seen  by  system  administrators.  The  systems 
themselves  are  not  always  designed  to  correspond  to  best-known  security  practices;  for 
example,  the  default  configuration  that  may  be  appropriate  and  sufficiently  secure  for  one 
system  may  on  another  system  disclose  information  without  the  knowledge  of  the  system 
administrator.  Additionally,  installation  of  new  software  or  hardware  on  the  network 
could  cause  system  vulnerabilities  due  to  incompatibility  with  system  security  policies 
implemented  by  the  system  administrator. 

When  it  comes  to  system  security  management,  threats  can  be  an  issue.  Although 
there  are  many  tools  for  identifying  threats  and  vulnerabilities,  the  data  these  tools 
provide  is  often  not  clear  enough  for  human  decision  makers  to  use  effectively.  As  these 
tools  may  produce  large  amounts  of  data,  the  network  administrator  must  decide  what 
data  reflect  a  vulnerability.  Furthermore,  some  vulnerabilities  result  from  routine  system 
data  or  installed  software  and  patches.  This  task  becomes  particularly  challenging  when 
one  considers  that  very  critical  systems,  such  as  military  or  governmental  systems,  must 
be  monitored  actively  to  prevent  threats  from  penetrating  critical  systems  or  to  make  the 
administrator  aware  of  unintentional  system  state  changes.  For  these  reasons,  maintaining 
active  awareness  of  cyber  system  configurations  and  security  posture  is  a  critical  role  for 
cyber  system  administrators. 
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However,  network  administrators’  situational  awareness  capabilities  depend  on 
their  experience,  training,  and  knowledge.  Ideally,  a  real-time  training  environment  can 
provide  administrators  with  the  necessary  knowledge  and  experience  without  affecting 
the  real  system.  For  that  purpose,  Naval  Postgraduate  School  (NPS)  student  Daniel 
McBride  designed  the  Mapping,  Awareness,  and  Virtualization  Network  Administrator 
Training  Tool  (MAVNATT)  in  his  2015  thesis.  In  this  tool,  McBride  outlined  three 
different  modules  integrated  to  create  a  virtual  environment  for  training  tactical  network 
administrators  and  monitoring  locally  deployed  systems.  The  main  idea  of  the  awareness 
module  is  to  visualize  the  network  topology  and  to  integrate  fault  detection  capabilities 
within  MAVNATT.  He  stipulated  that  the  awareness  module  must  be  able  to  develop 
network  administrators’  situational  awareness.  He  identified  existing  tools  to  generate  the 
awareness  capability;  however,  these  tools  were  not  convenient  solutions  to  implement  in 
the  virtual  training  environment  (2015).  Nonetheless,  his  thesis  showed  the  importance  of 
training  to  develop  network  administrators’  situational  awareness. 

As  previously  stated,  cyber  systems  security  and  maintenance  largely  depend  on 
well-trained  network  administrators  who  know  how  to  use  their  tools  and  understand 
what  is  happening  in  their  network  systems.  That  is  why  these  administrators  need  to  be 
trained  in  real-time  virtual  environments,  such  as  that  provided  by  MAVNATT.  Hence, 
tools,  training  methods,  and  best  practices  should  be  identified  and,  where  possible, 
incorporated  in  MAVNATT  to  provide  an  environment  capable  of  enhancing  network 
administrators’  situational  awareness. 

In  this  context,  situational  awareness  refers  to  the  extent  to  which  one  is  aware  of 
the  system’s  configuration,  operation,  and  special  conditions.  Poor  system  configurations 
may  expose  vulnerabilities.  For  this  reason,  implementing  known  best  practices  for 
system  configuration  generally  results  in  a  more  secure  system.  Yet,  the  best  system 
configurations  may  not  be  enough  to  prevent  vulnerabilities  if  an  administrator  is  not 
actively  aware  of  the  system’s  operation.  Administrators  must  monitor  the  devices  in 
their  systems  to  be  sure  they  are  all  working  as  expected.  Nonetheless,  even  though 
everything  seems  normal,  sometimes  special  conditions  may  occur  in  the  system  state 
that  may  be  difficult  for  the  administrator  to  detect  or  interpret.  Maybe  an  attack  on  the 
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system,  either  by  external  or  insider  operatives,  is  trying  to  change  something  to  make  the 
system  vulnerable  to  more  extensive  exploits.  Moreover,  as  the  technology  develops, 
many  other  vulnerabilities  may  become  evident  in  the  system.  Therefore,  the 
administrator’s  capability  to  understand,  evaluate,  and  mitigate  vulnerabilities  is 
important  and  needs  to  be  developed,  assessed,  and  exercised. 

B.  PROBLEM  STATEMENT 

Although  many  tools  exist  to  assess  vulnerabilities  and  monitor  cyber  threat 
activities  within  tactical  networks,  network  administrators  lack  the  ability  to  continuously 
maintain  cyber  situational  awareness  over  these  networks,  particularly  in  the  context  of 
fielded,  operational,  and  time-critical  systems. 

C.  PURPOSE  STATEMENT 

The  purpose  of  this  research  is  to  understand  cyber  situational  awareness  (CSA) 
with  regard  to  the  perspective  of  network  administrators  and  provide  a  model  for 
enhancing  the  training  methods  and  contexts  for  network  administrators  with  respect  to 
actively  maintaining  situational  awareness  over  their  systems,  particularly  against  cyber 
threats  and  vulnerabilities.  This  research  evaluates  existing  tools  and  best  practices 
pertinent  to  establishing  and  maintaining  an  awareness  of  network  status  and  operations 
and,  based  on  that  evaluation,  recommends  cyber  security  methods  by  which  network 
administrators  can  increase  their  awareness  of  network  status  indicators. 

D.  RESEARCH  QUESTIONS 

This  research’s  goal  is  to  better  understand  cyber  situational  awareness.  Therefore, 
these  questions  will  be  the  main  focus  of  this  thesis. 

1.  What  is  cyber  situational  awareness? 

•  What  tools  are  being  used  for  cyber  situational  awareness? 

•  What  are  the  best  practices  for  secure  systems? 

•  How  might  cyber  situational  awareness  by  modeled  so  as  to  guide 
system  administrator  training  and  evaluation? 
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2.  How  can  the  effectiveness  of  the  network  administrator’s  situational 
awareness  be  increased? 

•  What  tools  are  needed  to  enhance  the  administrator’s  awareness? 

•  What  inhibits  the  network  administrator’s  awareness? 

E.  RESEARCH  METHODS 

This  research  examines  previously  published  literature,  including  cyber  security 
and  awareness  reports,  surveys,  government  and  enterprise  publications,  and  other 
research  papers  to  discover  appropriate  best  practices,  training  methods,  and  tools  used 
for  maintaining  situational  awareness  of  network  administrators  in  the  context  of  cyber 
systems.  Best  practices  may  include  network  training  methods,  configuration  settings,  or 
cyber  security  tools. 

Initially,  the  research  addresses  the  concept  of  situational  awareness  in  large 
enterprise  networks.  The  aim  is  to  survey  the  types  of  threats  and  exploitations  observed 
by  administrators  of  such  networks  to  better  clarify  what  it  means  for  an  administrator  to 
be  “aware”  of  his  network.  To  this  end,  we  survey  existing  situational  awareness  tools 
and  best  practices  in  the  cyber  security  domain  to  examine  how  they  may  support 
administrator  awareness  of  the  network. 

Finally,  the  research  identifies  tools  and  techniques  that  can  be  used  to  develop 
the  effectiveness  of  network  administrators  with  respect  to  finding  vulnerabilities  and 
threats  in  tactical  networks  and  make  recommendations  as  to  how  such  tools  may  be 
adopted  or  adapted  for  use  by  MAVNATT. 

F.  POTENTIAL  BENEFITS,  LIMITATIONS,  AND  RECOMMENDATIONS 

This  thesis  is  intended  to  help  network  administrators  gain  a  better  understanding 
of  the  means  and  methodology  of  establishing  situational  awareness  for  enhancing 
system  security;  it  will  lead  to  new  and  better  training  methods  for  network 
administrators.  With  respect  to  virtual  network  training  environments,  the  thesis 
recommends  a  new  model  for  cyber  situational  awareness  that  is  appropriate  for  use  in 
MAVNATT,  as  an  example  of  this  class  of  training  tool. 
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II.  LITERATURE  REVIEW 


A.  OVERVIEW 

Network  administrators  face  numerous  challenges  in  protecting  their  systems, 
using  tools  such  as  intrusion  detection  systems,  anti-virus  applications,  or  other  security 
sensors  to  defend  against  adversaries  and  to  mitigate  risks.  Cyber  situational  awareness  is 
not  only  related  to  the  effectiveness  of  these  tools  in  protecting  these  systems,  it  is  also 
critical  to  decision  makers’  ability  to  understand  network  contexts  and  make  good  tactical 
decisions  (Barford  et  al.,  2010).  Many  network  attacks  can  be  prevented  by  the 
configuration  of  firewalls  or  null-routing,  but  these  tactics  are  not  sufficient  against 
distributed  denial  of  service  (DDOS)  attacks  (Gray,  Ritsos,  &  Roberts,  2015)  or  insider 
threats.  By  virtue  of  being  inside  the  secure  perimeter,  in  possession  of  valid  credentials, 
and  having  knowledge  of  the  system  configurations,  insider  threats  are  inherently  more 
difficult  to  identify  than  outsider  threats  (Brancik  &  Ghinita,  2010).  Also,  existing  system 
vulnerabilities  that  were  created  by  programmers  during  software  or  system  design,  either 
intentionally  or  not,  are  a  significant  industry  problem,  as  they  create  potential  backdoors 
for  external  attackers.  Moreover,  most  of  these  security  problems  are  not  found  until  after 
a  penetration  test  or,  unfortunately,  after  an  attack  on  the  system  (Olama  &  Nutaro, 
2013). 

Above  all,  there  often  exist  disconnects  between  tools  and  human  decision  makers 
(Barford  et  al.,  2010).  That  is  to  say,  tools  can  track  systems  and  provide  logs  to  network 
administrators,  but  humans  still  need  to  decide  on  the  meaning  of  the  data  that  those  tools 
present  (Barford  et  al.,  2010).  As  new  information  becomes  available,  administrators 
must  update  their  systems,  and  their  knowledge,  to  mitigate  their  own  vulnerabilities 
(Tadda  &  Salerno,  2010). 

Although  there  are  many  tools  for  identifying  threats  and  vulnerabilities,  the  data 
they  provide  is  often  not  clear  enough  for  human  decision  makers  to  use  effectively. 
These  tools  may  provide  large  amounts  of  data,  but  the  network  administrator  must 
decide  which  of  the  data  is  meaningful,  and  whether  a  vulnerability  or  threat  exists. 
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Network  administrators’  situational  awareness  over  the  network  depends  on  their  ability 
to  make  these  analyses,  given  their  experience,  training,  knowledge,  and  the  tools  that 
they  use. 

The  proficiency  of  network  administrators  is  dependent  on  realistic  experiences. 
Such  experience  can  be  gained  in  a  controlled  environment,  such  as  a  training  lab,  or  in 
response  to  events  occurring  on  the  networks  for  which  they  are  responsible.  Hence,  the 
most  effective  tools,  training  methods,  and  best  practices  should  be  identified  and,  where 
possible,  incorporated  in  an  environment  capable  of  enhancing  network  administrators’ 
situational  awareness. 

Limited  awareness  can  have  a  negative  impact  on  an  administrator’s  ability  to 
precisely  see  multiple  threats  or  adverse  activities  in  parallel.  A  failure  in  situational 
awareness  may  occur  when  the  measure  of  information  accessible  far  surpasses  an 
administrator’s  capacity  to  process  it  (Endsley  &  Connors,  2014). 

The  administrator’s  ability  to  maintain  awareness  of  the  state  of  the  system  is 
critical  to  the  security  of  the  system.  Thus,  an  understanding  of  what  is  meant  by 
situational  awareness  in  the  context  of  network  administration  is  essential  to  providing  a 
construct  for  developing  and  maturing  it. 

B.  CYBER  SITUATIONAL  AWARENESS 

Incorporating  new  computer  and  networking  technologies  into  an  existing 
enterprise  means  that  an  organization  must  be  aware  of  the  potential  for  unexpected 
effects  to  the  current  systems,  and  thus  be  prepared  to  respond  to  such  effects  by 
accumulating  a  high  level  of  situational  awareness  (SA)  before  and  after  incorporating 
these  changes  into  the  operational  network.  With  increasing  cyber  threats,  any  system 
vulnerability  may  be  potentially  exploited,  which  can  result  in  system  failures  or 
information  loss.  Therefore,  building  and  maintaining  SA  at  every  level  of  the 
organization  is  crucial.  In  particular,  administrators  of  these  systems  need  to  be  more 
situationally  aware  than  other  users,  due  to  their  responsibility  to  securely  protect  and 
maintain  network  infrastructure  and  systems. 
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An  essential  first  step  is  to  define  clearly  what  is  meant  by  cyber  situational 
awareness  (CSA).  This  step  starts  with  a  review  of  the  basic  definition  of  situational 
awareness.  According  to  Mica  R.  Endsley’s  (1988)  definition,  “Situational  Awareness  is 
the  perception  of  the  elements  in  the  environment  within  a  volume  of  time  and  space,  the 
comprehension  of  their  meaning,  and  the  projection  of  their  status  in  the  near  future.”  As 
one  makes  sense  of  this  definition,  SA  is  related  to  the  decision-making  process,  and  thus 
to  decision  makers.  Moreover,  each  individual’s  capability  to  develop  SA  varies,  as  each 
interprets  the  same  data  in  a  different  way  due  to  his  natural  capacity  to  understand  the 
data,  as  well  as  his  education  and  experience  (Endsley,  1995,  p.  35).  Hence,  one  can 
expect  different  individuals  to  arrive  at  different  decisions  given  the  same  situation  and 
input.  Additionally,  the  presentation  of  the  data  will  also  doubtlessly  affect  SA  (Endsley, 
1995,  p.  50).  While  SA  tools  provide  data  output  to  help  decision  makers,  these  tools  do 
not  ensure  that  different  decision  makers  will  arrive  at  the  same  conclusion.  According  to 
Endsley  (1995),  “all  system  designs  are  not  equal  in  their  ability  to  convey  needed 
information  or  in  the  degree  to  which  they  are  compatible  with  basic  human  information¬ 
processing  abilities.  Other  features  of  the  task  environment,  including  workload,  stress, 
and  complexity,  may  also  affect  SA”  (p.  35).  Thus,  many  factors  can  affect  the  human 
decision-making  process  and  the  associated  situational  awareness,  which  has  led  many 
researchers  to  find  novel  approaches  to  help  decision  makers  remain  independent  of  these 
human  factors. 

This  research  uses  Endsley’s  definitions  (1988)  as  well  as  his  model  (1995)  to 
reach  a  clearer  understanding  of  CSA.  Endsley  (1995)  identified  three  levels  of  SA:  Level 
1  SA:  Perception  of  the  Elements  in  the  Environment;  Level  2  SA:  Comprehension  of  the 
Current  Situation;  and  Level  3  SA:  Projection  of  Future  Status  (Endsley,  1995,  pp.  36- 
37).  Endsley’s  model  depicting  the  relationships  of  the  different  levels  is  shown  in  Figure 
1 .  From  this  model,  we  propose  corresponding  levels  of  CSA. 
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Figure  1.  Model  of  Situational  Awareness  in  Dynamic  Decision  Making. 

Source:  Endsley  (1995). 


1.  Level  1  SA:  Perception  of  the  Elements  in  the  Environment 

According  to  Endsley  (1995),  “the  first  step  in  achieving  SA  is  to  perceive  the 
status,  attributes,  and  dynamics  of  relevant  elements  in  the  environment”  (p.  36).  In  the 
cyber  realm,  the  core  concept  of  this  SA  level  lies  in  network  administrators 
understanding  the  basic  objectives  and  elements  of  the  cyber  security  domain  to  help 
them  overcome  false  understanding  of  their  systems’  security  against  cyber- attacks 
(“Cyber  Security  Elements,”  n.d.).  The  information  system  security  objectives  of 
confidentiality,  integrity,  and  availability  (often  termed  the  “CIA  triad”)  (Ross  & 
Swanson,  2004)  help  to  identify  conditions  necessary  to  ensure  data  security;  these 
objectives  require  that  organizations  and  individuals  be  alert  in  monitoring 
confidentiality,  integrity,  and  availability  of  their  data  (Henderson,  2015). 
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SA  over  physical  systems  is  developed  with  respect  to  the  particular  techniques 
and  hardware  sensors  for  these  systems  (Barford  et  al.,  2010).  Endsley  gives  the  analogy 
of  an  aircraft  pilot  and  automobile  driver  for  explaining  level  1  SA.  According  to  these 
examples,  a  pilot  perceives  mountains  with  the  help  of  aircraft  warning  lights,  while  an 
automobile  driver  can  perceive  the  location  of  other  vehicles  and  his  car’s  current  status 
using  the  automobile’s  sensor  systems  (Endsley,  1995).  These  physical  SA  systems  have 
slower  developing  speed  than  cyber  systems  (Barford  et  al.,  2010).  According  to  Paul 
Barford  et  al.,  “Cyber  SA  systems  rely  on  cyber  sensors  such  as  IDS’,  log  file  sensors, 
anti-virus  systems,  malware  detectors,  and  firewalls;  they  all  produce  events  at  a  higher 
level  of  abstraction  than  raw  network  packets”  (2010).  These  CSA  sensors  provide  the 
necessary  information  to  the  administrator,  much  like  the  aircraft  or  automobile  warning 
lights  in  Endsley’ s  analogies,  allowing  the  administrator  to  develop  an  accurate 
perception  of  the  cyber  environment. 

In  light  of  the  CIA  triad,  when  devising  a  network  security  policy,  one  must  be 
aware  of  the  risks  posed  by  system  vulnerabilities  and  related  threats  to  the  system,  as 
well  as  possible  security  countermeasures  to  mitigate  these  risks  (Paquet,  2013). 
Perception  level  of  awareness  covers  the  cyber  sensor’s  data.  Sensor  data  warns  the 
administrator  about  the  threats  and  threat  indications.  These  threats  may  vary  from 
malware  to  insiders,  or  social  engineering  to  denial  of  service  (DoS)  attacks.  According 
to  a  Symantec  report,  over  430  million  new  unique  malicious  programs  were  discovered 
in  2015,  and  zero-day  vulnerabilities  doubled  to  54  over  the  previous  year  (Symantec, 
2016).  This  finding  reveals  that  cyber  security  threats  are  increasing  significantly.  Of 
course,  knowing  about  the  threats  is  not  enough;  an  administrator  must  understand  the 
countermeasures  that  can  be  employed  against  them.  For  example,  developing  a  strict 
patch  implementation  policy  may  be  a  good  countermeasure  for  software  security  risks, 
while  a  reliable  antivirus  detection  application  and  update  policy  may  provide  protection 
against  known  malware. 

Considering  the  significantly  growing  numbers  of  cyber  threats  and  technological 
developments  in  computer  systems,  network  administrators  must  strive  to  achieve  level  1 
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cyber  SA.  They  must  develop  their  level  1  SA  in  order  to  continuously  monitor  and 
understand  the  threat  signal  data. 

2.  Level  2  SA:  Comprehension  of  the  Current  Situation 

According  to  Endsley  (1995),  “Comprehension  of  the  situation  is  based  on  a 
synthesis  of  disjointed  Level  1  elements.”  Level  2  SA  is  about  understanding  the  ongoing 
situation  and  its  components  by  using  the  knowledge  of  level  1  SA;  moreover, 
interpreting  and  deciding  on  it,  based  on  the  decision  maker’s  experience  and  goals  (p. 
37).  Endsley  illustrates  this  level  from  the  perspective  of  an  aircraft  fighter  pilot:  “a 
military  pilot  ...  must  comprehend  that  the  appearance  of  three  enemy  aircraft  within  a 
certain  proximity  of  one  another  and  in  a  certain  geographical  location  indicates  certain 
things  about  their  objectives”  (1995).  The  network  administrator  can  identify  the  current 
situation  by  assessing  the  data  derived  from  tools,  logs,  and  sensors  to  monitor  the  state 
of  the  systems  of  interest.  However,  extracting  the  correct  data  and  identifying  the  threats 
still  may  depend  on  one’s  experience  and  system  knowledge  since  the  tools  may  not 
recognize  new  motifs,  as  previous  data  or  practices  may  not  relate  to  the  current  situation 
(Tadda  &  Salerno,  2010,  p.  23).  This  level  is  not  only  focused  on  identifying  the  threats, 
but  also  on  determining  configuration  changes,  system  state  changes,  or  any  other 
changes  according  to  the  administrator’s  goals. 

Properly  defined  goals  will  help  the  network  administrator  better  understand 
information  being  received,  and  thus  more  effectively  develop  an  understanding  of  the 
emerging  situation  (Endsley  &  Connors,  2014).  In  this  way,  the  administrators  develop 
an  entire  picture  of  the  system,  which  can  aid  them  in  recognizing  the  events  pertinent  to 
the  system  quickly  and  accurately  (Endsley,  1995,  p.  37).  To  illustrate,  an  unauthorized 
flash  drive  insertion  alarm  from  a  user’s  computer  does  not  necessarily  indicate  an 
attempt  to  insert  malware  into  the  system  intentionally;  it  may  simply  indicate  an 
uninformed  user  regarding  the  hazards  of  using  a  portable  flash  drive  on  his  or  her 
computer.  In  another  example,  friendly-looking  emails  from  an  unknown,  untrusted 
source  may  represent  an  attempted  social  engineering  attack  to  the  system.  Above  all,  the 
decision  maker  is  the  person  who  will  interpret  indications  and  data  based  on  his  goals. 
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3.  Level  3  SA:  Projection  of  Future  Status 

Endsley  (1995)  describes  the  final  SA  level  as  “the  ability  to  project  the  future 
actions  of  the  elements  ...  achieved  through  knowledge  of  the  status  and  dynamics  of  the 
elements  and  comprehension  of  the  situation”  (p.  37).  This  level  of  Endsley’ s  SA  model, 
before  the  decision  maker  propagates  the  decision,  is  focused  on  predicting  and 
determining  the  future  results  of  the  present  case  to  the  running  system  (Endsley  & 
Connors,  2014).  Making  decisions  on  possible  future  results  also  requires  consideration 
of  past  experiences,  and  present  outcomes  of  these  experiences  (Tadda  &  Salerno,  2010). 

Decision  makers  must  choose  the  best  decision  that  complies  with  their  purposes 
in  this  SA  level  (Endsley,  1995).  Endsley  gives  another  real-world  example  to 
demonstrate  this:  “an  air  traffic  controller  needs  to  put  together  information  on  various 
traffic  patterns  to  determine  which  runaways  will  be  free,  and  where  there  is  a  potential 
for  collisions”  (p.  37).  The  predictions  made  at  this  level  are  crucial  for  CSA  because  the 
correct  evaluation  of  network  events  may  prevent  future  cyber-attacks.  For  example,  an 
attack  may  be  a  deception  in  support  of  another  attack  that  may  bring  less  indication  or 
warning  but  carry  more  effect  to  the  system;  or  the  residuals  of  this  attack  may  damage 
the  running  system  over  an  extended  period  of  time.  A  clear  prediction  of  potential  future 
impacts  may  lead  the  administrator  to  clean  residuals  from  the  operating  system  or 
identify  new  avenues  of  attack.  Therefore,  the  decision  makers  responsible  for  critical 
and  complex  systems  must  have  a  clear  sense  of  their  system  objectives  rather  than 
simply  observe  the  state  of  the  current  situation  without  an  understanding  of  the  impact  of 
such  states  (Endsley,  1995). 

C.  MAVNATT 

MAVNATT  was  designed  to  fill  gaps  in  network  administrator  training  for 
support  to  United  States  Marine  Corps  tactical  networks  (McBride,  2015).  The  goal  of 
the  system  was  to  provide  a  lightweight  tool  to  train  network  administrators  by 
replicating  a  tactical  network  with  a  virtual  network  environment.  This  virtualized 
environment  is  intended  to  replicate  the  real  network  to  allow  administrator  training  in 
system  implementation,  maintenance,  and  security,  since  training  on  the  real  network 
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may  cause  unexpected  or  detrimental  results  to  that  network.  If  something  unacceptable 
happens  in  the  virtualized  environment,  it  will  not  impact  the  mission  and  does  not 
damage  the  original  network.  Moreover,  this  kind  of  training  may  increase  the  practical 
experience  level  of  the  supported  network  administrators. 

As  mentioned  in  Chapter  I,  McBride  (2015)  defined  three  essential  modules 
comprising  the  MAVNATT  framework  and  architecture  (see  Figure  2):  mapping, 
awareness,  and  virtualization.  The  framework’s  goal  was  to  integrate  these  three  modules 
(McBride,  2015)  to  allow  replication  of  a  real  operational  network  in  a  virtual  network 
environment. 

The  MAVNATT  framework  includes  a  graphical  user  interface  (GUI)  to  provide 
situation  awareness  for  the  administrator.  This  interface  provides  novice  administrators 
with  better  SA  over  a  real  network  and  virtualized  network,  as  well  as  providing  for 
training  schema  and  monitoring  of  network  issues  (McBride,  2015). 


Language 


Figure  2.  MAVNATT  Conceptual  Model.  Source:  McBride  (2015). 
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The  MAVNATT  GUI  must  be  suitable  for  showing  the  real  and  the  virtualized 
network  topologies  and  easy  to  leam  for  users  (McBride,  2015).  In  the  MAVNATT 
technology  demonstration,  the  simplicity  of  a  GUI  was  able  to  increase  the  situational 
awareness  of  network  administrators,  especially  for  novice  users  compared  to 
experienced  users;  novice  users  need  more  training  due  to  their  lower  level  of  expertise. 

As  currently  defined,  the  MAVNATT  awareness  module  mostly  emphasizes 
device  status  within  the  networks.  If  a  system  error  happens  in  a  real  system,  the  network 
administrator  must  be  able  to  see  the  same  error  in  the  virtual  training  network.  This  may 
help  the  network  administrator  work  on  real  network  system  flaws  (McBride,  2015).  So, 
this  benefits  the  system  security  posture  by  developing  network  administrator  skills 
against  unexpected  situations  without  harming  the  mission  system.  Also,  MAVNATT  can 
allow  administrators  to  resolve  faults  using  the  virtualized  systems  or  to  verify  the  impact 
of  configuration  setting  changes,  and  then  apply  the  solution  to  the  respective  real 
network  systems  after  they  have  been  fully  tested  in  a  virtualized  environment. 

D.  SUMMARY 

This  chapter  describes  cyber  situational  awareness  and  its  importance  to  decision¬ 
makers  and  administrators  responsible  for  critical  cyber  systems.  It  further  described  the 
purpose  of  MAVNATT  and  its  awareness  module  in  the  context  of  CSA.  By  having  an 
understanding  of  how  CSA  is  established  and  maintained,  developing  a  methodology  for 
systems  like  MAVNATT  can  be  possible. 
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III.  SURVEY  OF  NETWORK  AWARENESS  TOOLS  AND 

TECHNIQUES 


As  mentioned  in  the  previous  chapter,  cyber  situational  awareness  is  a  challenging 
and  complex  task  for  human  beings.  The  cyber  domain  encompasses  many  components 
and  its  events  occur  very  rapidly,  making  it  difficult  for  the  human  mind  to  comprehend; 
further,  events  in  cyber  space  may  happen  in  rapid  succession.  Thus,  if  an  administrator 
does  not  have  the  proper  tools  and  techniques  to  help  protect  the  cyber  system  for  which 
he  or  she  is  responsible  for  maintaining  and  protecting,  then  successfully  accomplishing 
these  tasks  is  difficult.  Furthermore,  a  lack  of  appropriate  security  measures  leaves  the 
operating  system  virtually  defenseless  against  threats.  For  these  reasons,  many  cyber 
security  professionals  maintain  a  set  of  security  tools,  technologies,  sources,  reports, 
techniques,  and  best  practices  to  aid  them  in  securing  their  cyber  systems  and 
environment  (Albanese  &  Jajodia,  2014). 

According  to  Massimiliano  Albanese  and  Sushil  Jajodia,  a  powerful  cyber 
defense  framework  requires  these  important  functions: 

•  Learning  from  attacks 

•  Prioritization 

•  Metrics 

•  Continuous  diagnostic  and  mitigation 

•  Automation  (2014) 

Therefore,  in  this  thesis,  we  consider  that  people  are  the  ultimate  decision  makers 
of  automated  cyber  systems,  since  they  control  checking,  verifying,  and  reviewing  the 
results  of  automated  tools  (Albanese  &  Jajodia,  2014).  Rather  than  focus  on  protocols 
related  to  network  management  in  this  chapter,  we  explore  some  of  the  critical  security 
solutions  related  to  network  administrator  techniques  and  tools  to  provide  a  clearer  view 
ofCSA. 
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A.  NETWORK  SECURITY  AND  AWARENESS  TECHNIQUES 

Creating  a  network  requires  the  physical  and  logical  connection  of  devices. 
However,  without  the  correct  configuration  of  devices,  physical  connections  are  not 
enough  to  build  a  functioning  network,  let  alone  a  well-designed  and  secure  network.  In 
fact,  there  is  no  perfect  cyber  system  such  that  its  devices  work  well  together  forever  after 
initially  configuring  them.  As  the  network’s  subsystems,  computers,  technologies,  and 
software  evolve  and  change,  the  devices  may  give  errors  or  their  current  state  may 
change  unexpectedly  due  to  device  failure  or  external  action.  In  addition  to  changes  in 
device  status,  attackers  may  exploit  vulnerabilities  in  misconfigured  devices  to 
compromise  them  until  the  entire  network  is  eventually  compromised.  Moreover,  if  the 
network  operator  does  not  understand  what  is  occurring  within  a  system,  or 
underestimates  state  changes,  the  results  to  the  network  as  a  whole  may  become 
catastrophic.  Further,  as  the  network  grows,  managing  it  becomes  an  increasingly 
challenging  task  (McCloghrie  &  Sanchez,  2001).  Therefore,  the  network’s  configuration 
is  a  critical  process  which  one  must  always  bear  in  mind. 

Management  of  system  configurations  is  an  information  technology  (IT)  area 
referred  to  as  network  configuration  management.  It  is  a  broad  part  of  network 
management  (“Network  Configuration  Management,”  n.d.)  and  according  to 
Techopedia.com  it  is  defined  as 

a  broad  term  for  the  organization  and  management  of  a  computer  network. 

All  sorts  of  networks,  including  local  area  networks,  wireless  networks 
and  virtual  networks  all  need  elements  of  maintenance,  modification, 
repair  and  general  monitoring.  Network  configuration  management 
involves  collecting  different  information  about  hardware  devices,  software 
programs  and  other  elements  of  the  network  in  order  to  support 
administration  and  troubleshooting.  (2016) 

This  research  argues  that  configuration  management  can  be  the  first  phase  of 
CSA.  As  discussed  in  the  previous  chapter,  the  first  level  of  SA  is  “Perception  of 
Elements  in  Current  Situation”  (Endsley,  1995).  In  a  cyber  network,  accurately  managing 
the  configuration  of  the  network  requires  putting  together  all  the  pieces  of  the  system  to 
get  instantaneous  information  on  the  running  devices  and  their  current  status. 
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This  section  covers  network  security  practices  for  configurations  and  awareness 
of  Department  of  Defense  (DOD)  systems.  In  the  realm  of  configuration,  there  are 
numerous  guidelines  for  configuring  systems  for  computer  security  best  practices,  such  as 
Defense  Information  Agency  (DISA)’s  Security  Technical  Implementation  Guides,  U.  S. 
Government  Configuration  Baseline,  and  Center  for  Internet  Security  Standards  (Byrne, 
2015).  This  thesis  discusses  only  STIGs,  since  DOD  is  following  this  guidance  for  their 
cyber  systems  security.  Router  access  configuration  lists  are  covered  as  well. 

1.  Access  Control  Lists 

Access  controls  lists  (ACL)  are  sets  of  router-based  network  traffic  filtering  rules 
that  provide  additional  security  to  networks.  ACLs  allow  a  router  powerful  control  over 
network  packets.  The  router  checks  inbound  and  outbound  traffic  packet  headers 
according  to  the  ACLs;  if  there  was  an  ACL  rule  defined  for  a  specific  packet,  the  router 
decides  to  permit  or  deny  the  actual  packet  with  regard  to  this  rule. 

One  can  create  ACLs  directly  on  the  router  via  the  command  line.  For  a  specific 
ACL,  there  will  often  be  more  than  one  rule  assigned  to  that  ACL  name.  On  some 
routers,  after  assigning  rules  to  an  ACL,  it  is  not  possible  to  delete  individual  rules 
without  deleting  the  ACL  (“Cisco  IOS  Security  Configuration  Guide,”  n.d.).  After 
creating  the  ACL,  one  can  apply  it  to  the  router  interfaces  based  on  the  interface’s 
connected  network;  otherwise,  the  ACL  does  not  run  and  merely  stays  in  the  router’s 
memory. 

The  order  of  rules  in  an  ACL  is  crucial,  as  the  router  checks  the  statements  line  by 
line  against  an  incoming  packet  until  a  corresponding  rule  is  matched.  When  the  router 
matches  a  rule  with  the  packet,  it  decides  to  permit  or  deny  the  packet  based  on  the  rule, 
and  then  does  not  check  any  remaining  rules  (“Cisco  IOS  Security  Configuration  Guide,” 
n.d.).  For  instance,  if  one  of  the  interfaces  of  the  router  connects  the  organization’s  web 
server  to  the  network,  this  interface’s  ACLs  can  have  rules  to  permit  forwarding  of 
incoming  traffic  (e.g.,  allowing  incoming  connections  to  port  80)  and  deny  all  other 
inbound  packets  to  that  server.  This  idea  is  demonstrated  by  the  following  example: 
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access-list  sampleRule  permit  tcp  20.3.  9.0  0.0.  0.255  any  eq  80 
access-list  sampleRule  deny  ip  any  any 

Ordering  of  rules  is  also  critical  with  regard  to  rule  types.  For  example,  if  a 
network  administrator  defined  permit  rules  after  the  deny  rules,  no  traffic  could  access  a 
web  server.  Although  this  is  a  very  simple  example  of  misconfiguration,  and  one  that  can 
easily  be  detected  and  fixed,  there  might  be  more  complex  ACLs  where  errors  in 
configuration  could  cause  serious  network  traffic  degradation  or  failure.  Detection  of 
such  errors  may  take  significant  time.  Due  to  human  error  in  ACL  configurations,  the 
system  state  can  become  invalid;  moreover,  these  systems  may  become  vulnerable  to 
cyber-attacks.  According  to  Nancy  Navato  (2001),  these  errors  are  “failure  to  create  and 
add  access  list  entries  in  the  correct  sequence,”  “failure  to  apply  the  access  list  to  an 
interface  in  the  correct  direction,”  and  “failure  to  apply  the  access  list  to  an  interface.” 
Hence,  network  administrators  should  be  careful  when  creating  ACLs.  After  creating 
ACL  lists,  network  administrators  must  also  on  occasion  review  them  to  ensure  the  ACL 
lists  are  still  current  (Navato,  2001). 

2.  Security  Technical  Implementation  Guides 

Security  Technical  Implementation  Guides  (STIG)  are  configuration  documents 
that  explain  how  to  configure  various  computing  and  network  devices  to  mitigate  security 
risks  (Byrne,  2015).  According  to  the  DISA  webpage,  “STIGs  contain  technical  guidance 
to  ‘lock  down’  information  systems/software  that  might  otherwise  be  vulnerable  to  a 
malicious  computer  attack”  (“STIGs  Home,”  n.d.).  DISA  has  defined  more  than  400 
STIGs  for  different  types  and  versions  of  software  and  systems.  The  DISA  STIGs 
website  allows  the  public  to  download  STIG  zip  files,  where  one  zip  file  may  contain  pdf 
archives  and  a  STIG  folder,  or  it  may  contain  only  a  STIG  file.  These  pdf  archives  can 
give  unclassified  information  about  the  overview  of  the  downloaded  STIG,  its  revision 
history,  and  Security  Requirements  Guides  about  the  technology  related  to  the  STIG. 
Every  STIG  is  categorized  according  to  the  DISA  guidelines  shown  in  Table  1. 
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Table  1.  Vulnerability  Severity  Category  Code  Definitions. 

Source:  “STIGs  Home”  (n.d.). 


DISA  Category  Code  Guidelines 

CAT  I 

Any  vulnerability,  the  exploitation  of  which  will  directly  and 
immediately  result  in  loss  of  Confidentiality,  Availability,  or  Integrity. 

CAT  II 

Any  vulnerability,  the  exploitation  of  which  has  a  potential  result  in  loss 
of  Confidentiality,  Availability,  or  Integrity. 

CAT  III 

Any  vulnerability,  the  exploitation  of  which  degrades  measures  to 
protect  against  loss  of  Confidentiality,  Availability,  or  Integrity. 

Additionally,  most  STIGs  are  in  Extensible  Markup  Language  (XML)  format,  for 
which  DISA  has  a  useful  STIG  Viewer  java  tool  that  allows  viewing  of  STIG  files  more 
easily.  This  tool  has  the  ability  to  show  more  than  one  STIG,  as  well  as  to  filter  responses 
according  to  severity  categories  or  keywords.  An  example  of  this  is  shown  in  Ligure  3, 
where  this  research  imported  Apple  iOS  10,  Microsoft  Word  2013,  Application  Layer 
Gateway,  and  Apache  Server  2.2  technical  guides  to  the  DISA  STIG  Viewer. 


FTOKA  STIG  Viewer :  2A1 


File  Export  Checklist  Options  Help 


STIG  Explorer 
*  STIGs 

CK  Name  ♦ 

intrusion  Detection  and  Prev- 

✓  Apple  iOS  10  Security  Techm... 
Microsoft  Word  2013  STIG 
Application  Layer  Gateway  (-. 
APACHE  SITE  22  for  Windows 


Profile-  No  Profile 
*  Filter  Options 

gjCATI  ✓  CATU  ✓  CAT  III 
Add 

•  Inclusive  Filter  Exclusive  Filter 


Remove  Filter  Remove  All  F_ 


Rule  Name 
PP-MDF-201003 

PP-MDF-201002 
PP-M  OF -201005 
PP-MDF-201004 
PP-MDF-201018 
PP-MDF-201018 
PP-MDF-201018 
PP-MDF-201018 
PP-MDF-201018 
PP-MDF -201021 
PP-MDF-991000 
PP-MDF-201008 
PP-MDF-201008 
PP-MDF-201026 
PP-MDF-201026 
PP-MDF-201022 
PP-MDF-991000 
PP-MDF-991000 
PP-MDF-201018 
PP-MDF-991000 
PP-MDF-201018 
PP-MDF-991000 
PP-MDF-991000 
PP-MDF-991000 
PP-MDF-991000 
PP-MDF-991000 


v  General  Information 

Apple  iOS  10  Security  Technical  Implementation  Guide  ::  Release:  1 
Benchmark  Date:  19  Oct  2016 

Rule  Title:  Apple  iOS  must  lock  the  display  after  15  minutes  (or  less)  of  inactivity. 
STIG  ID:  AIOS-01-080002  „  , 


The  screen  lock  timeout  must  be  set  to  a  value  that  helps  protect  the  device  from 
unauthonzed  access.  Having  a  too-long  timeout  would  increase  the  window  of  opportunity 
for  adversaries  who  gain  physical  access  to  the  mobile  device  through  loss,  theft  etc  Such 
devices  are  much  more  likely  to  be  in  an  unlocked  state  when  acquired  by  an  adversary, 
thus  granting  immediate  access  to  the  data  on  the  mobile  device.  The  maximum  timeout 

*  Check  Content 

Review  configuration  settings  to  confirm  the  screen  lock  timeout  is  set  to  15  minutes  or  less. 

This  check  procedure  is  performed  on  both  the  Apple  iOS  management  tool  and  the  Apple 
iOS  device. 


Install  a  configuration  profile  to  lock  the  device  display  after  15  minutes  (or  less)  of  inactivity. 
This  is  done  by  setting  "Maximum  Auto-Lock  time"  and  "Grace  Period  for  device  lock"  so  the 
sum  of  their  values  is  between  1  and  15  minutes. 


*  ca 

CCI:  CCI-000057 

The  information  system  initiates  a  session  lock  after  the  organization-defined  time  period  of 
inactivity. 

NIST  SP  800-53  ::  AC-11  a 
NIST  SP  800-53A  =  AC-11.1  (ii) 


Ligure  3.  DISA  STIG  Viewer 
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Although  STIGs  are  prepared  to  secure  DOD  infrastructure,  anyone  can  freely 
access  and  implement  these  policies  for  the  own  organization.  However,  before  changing 
any  software  configuration,  one  should  take  into  consideration  that  the  updated  security 
settings  of  one  application  may  affect  other  applications’  security  settings  or  state. 
Therefore,  network  administrators  are  responsible  for  adapting  the  STIG  guides  to  their 
systems  by  considering  the  effects  of  the  policies.  Such  adaptation  requires  significant 
understanding  of  the  system  for  which  the  administrator  is  responsible,  an  understanding 
only  developed  through  significant  practice  and  operational  experience. 

3.  System  Logs 

According  to  Karen  Kent  and  Murugiah  P.  Souppaya  (2006),  a  log  is  “a  record  of 
the  events  occurring  within  an  organization’s  system  and  networks”  (p.  2-1).  Logs  may 
pertain  to  hardware  devices,  software,  services,  databases,  or  operating  systems.  Logging 
mechanisms  can  serve  as  a  feedback  mechanism  to  generate  positive  information  about 
the  state  of  the  system;  they  can  also  serve  as  an  alert  system  to  inform  the  network 
operators  regarding  a  critical  situation.  Oftentimes,  being  notified  of  and  analyzing  the 
errors  on  a  system,  or  getting  real-time  information  about  running  software,  may  not  be 
possible  without  continuous  logging  mechanisms  in  place  on  that  system. 

Furthermore,  the  requirements  of  network  management  make  logging  inevitable. 
Routine  log  surveys  and  examination  are  essential  for  recognizing  network  problems, 
security  incidents,  policy  abuses,  and  criminal  activity  after  they  have  happened  (Kent  & 
Souppaya,  2006).  Different  systems  may  use  different  vendor-based  logging  formats; 
therefore,  in  order  to  review  all  logs  in  human  readable  format,  organizations  usually 
require  changing  the  various  logs  into  a  common  format  (Kent  &  Souppaya,  2006).  In 
these  circumstances,  log  management  tools  can  help  to  eliminate  different  formats  and 
show  human  readable  logs  to  the  network  administrators. 

Also,  logging  can  provide  information  to  identify  unauthorized  data  breaches.  For 
example,  an  organization  creating  web  applications  for  its  departments  might  use  the  real 
databases  rather  than  test  databases  for  software  test  and  development  purposes,  giving 
database  access  permission  to  their  software  programmers.  In  that  situation,  database 
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query  logs  can  show  how  the  software  developers  are  engaging  with  the  database,  and 
who  among  them  may  be  abusing  their  authority  on  the  system  as  a  potential  insider 
threat. 

B.  NETWORK  AWARENESS  TOOLS 

Considering  the  volume  and  velocity  of  network  traffic  in  modern  cyber  systems, 
administrators  of  these  systems  must  rely  on  sensor  data  to  develop  CSA,  as  described  in 
Chapter  II.  Using  tools  that  can  provide  more  actionable  and  human  readable  data  to 
network  administrators  is  very  important.  There  are  many  network  monitoring  and 
assessment  tools  available  commercially,  with  varying  prices  and  capabilities.  It  is  not 
possible  to  evaluate  all  of  these  tools  in  this  research;  therefore,  this  research  describes 
some  of  the  configuration  and  cyber  security  tools  that  relate  to  and  support  CSA. 

1.  Firewalls 

A  firewall  is  a  network  security  device  or  a  host-based  application  that  monitors 
network  traffic  flow,  then  blocks  or  filters  incoming  and  outgoing  traffic  (packets) 
according  to  predefined  filtering  rules  (West,  Dean,  &  Andrews,  2015,  p.  405).  For 
instance,  the  Windows  operating  system  comes  with  an  integrated  host-based  Windows 
Firewall.  Furthermore,  anti-malware  tools  may  also  contain  a  firewall  that  is  integrated 
within  the  application.  Those  are  examples  of  host-based  firewalls  that  protect  the 
personal  computers  or  servers  on  which  they  are  loaded. 

Protecting  the  entire  network,  however,  requires  network-based  firewalls.  These 
firewalls  are  installed  at  the  entrance  to  the  network  as  a  course  filter  to  protect  the 
network  from  any  externally-induced  malicious  network  behavior.  Routers  are  one 
example  of  network-based  firewalls  since  they  have  the  ability  to  perform  packet  filtering 
(Northrup,  n.d.).  Although  network  firewalls  may  come  preconfigured  to  prevent  most 
common  typical  security  threats,  network  administrators  may  customize  the 
firewall  settings  in  accordance  with  their  network  needs  (West  et  al.,  2015,  p.  406). 

Packet  filtering  is  not  the  only  benefit  of  network-based  firewalls.  There  are 
different  firewalls  that  have  functionality  to  strengthen  network  security,  such  as  logging, 
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encryption,  and  user  authentication  (West  et  al.,  2015,  p.  407).  Since  firewalls  do  not 
block  all  malicious  traffic  on  a  network,  a  logging  capability  can  help  the  network 
administrators  develop  CSA;  for  example,  logs  may  be  reviewed  after  a  security  breach 
to  analyze  the  attacker’s  behaviors  or  to  get  a  clearer  view  of  how  the  attacker  managed 
to  pass  the  firewall  to  gain  access  to  the  system  (Northrup,  n.d.).  This  data  may  help 
network  administrators  to  change  security  configurations  by  adding  new  rule  sets  to  the 
firewall  settings. 

2.  Intrusion  Detection  Systems 

An  intrusion  detection  system  (IDS)  is  a  software  or  hardware  device  that 
monitors  network  traffic  and  produces  alerts  when  a  potential  network  security  incident 
occurs  (West  et  al.,  2015,  p.  402).  The  main  goal  of  an  IDS  is  to  recognize  potential 
network  security  events  (Scarfone  &  Me 11,  2007).  Accordingly,  an  IDS  has  nothing  to  do 
with  prevention  of  an  intrusion,  but  rather  it  raises  alerts  and  logs  the  detection  of  an 
intrusion.  Thus,  an  IDS  provides  necessary  information  to  the  network  administrator  by 
logging  all  probable  incidents,  allowing  the  administrator  to  take  actions  to  mitigate  the 
effects  of  the  potential  attack  (Scarfone  &  Mell,  2007). 

IDS  systems  work  like  a  network  sniffer,  capturing  and  analyzing  packets  as  they 
traverse  the  network.  Understanding  the  security  incidents  from  the  captured  network 
traffic  requires  extra  effort,  as  well  as  practice,  for  a  security  analyst.  However,  an  IDS 
not  only  captures  the  network  traffic,  it  can  examine  the  traffic  from  the  standpoint  of 
network  security  (Snyder,  2009).  Therefore,  IDSs  can  be  tailored  to  adopt  various 
techniques  to  detect  the  security  issues.  An  IDS  can  be  configured  to  utilize  several 
different  methods  of  detection,  such  as  signature-based  or  anomaly-based,  or  through 
stateful  protocol  analysis  (Scarfone  &  Mell,  2007). 

Signature-based  detection  uses  the  same  approach  to  detection  as  anti-virus 
software,  so  that  the  IDS  compares  captured  traffic  to  samples  in  its  database  and 
attempts  to  match  the  known  attack  vectors  with  the  observed  network  packets  (Bradley, 
2016).  However,  this  approach  may  be  inefficient  against  any  unknown  or  new  security 
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threats,  such  as  zero-day  attacks,  whose  presence  is  hidden  until  the  intended  “release 
date.” 

Anomaly-based  detection  is  a  very  powerful  method  to  help  administrators 
become  aware  of  any  new  kind  of  attacks.  Anomaly-based  IDSs  observe  the  network 
over  time  to  create  a  characterization  of  the  network’s  “normal”  behavior.  Then  they 
compare  the  learned  behavior  with  the  current  state  of  the  network  to  find  significant 
changes  or  anomalies  in  traffic  patterns  and  characteristics  (Scarfone  &  Mell,  2007). 

Stateful  protocol  analysis  is  an  entirely  different  approach  that  depends  on  IDS 
vendor- specific  configurations  as  to  how  the  exact  protocols  should  behave  in  the  system 
(Scarfone  &  Mell,  2007).  For  instance,  according  to  this  method  the  IDS  may  alert  any 
connection  to  port  4444;  because  Metasploit,  a  common  hacking  tool,  often  uses  port 
4444  as  a  default,  it  is  highly  likely  that  the  IDS  system  will  detect  and  alert  this  action  as 
potential  exploitation  or  malicious  activity.  Moreover,  network  administrators  can  also 
create  their  personal  security  rules  according  to  their  network  protection  concerns 
regarding  their  cyber  environments. 

In  addition  to  the  detection  methodologies  discussed  earlier,  there  are  two 
categories  of  IDSs:  host-based  (HIDS)  and  network-based  (NIDS).  As  one  can  assume 
from  its  name,  HIDS  operates  on  a  single  machine  in  order  to  protect  that  system.  Most 
probably,  this  machine  is  a  critical  server  for  the  organization,  so  one  may  need  to 
analyze  significant  security  incidents  occurring  on  that  server  by  looking  at  that 
machine’s  HIDS  logs.  NIDS,  conversely,  protect  a  network  by  running  on  a  critical  edge 
of  the  network  so  it  can  monitor  all  incoming  and  outgoing  traffic  (Bradley,  2016),  as 
well  as  traffic  internal  to  the  network.  However,  placing  only  one  NIDS  for  an  extensive 
network  may  have  undesirable  side  effects  for  the  network.  To  illustrate,  if  the 
monitoring  capacity  of  the  NIDS  is  lower  than  the  flowing  traffic,  it  may  miss  important 
security  issues;  so,  it  may  not  alert  for  all  detectable  events.  Eventually,  this  kind  of 
installation  on  a  large  capacity  network  may  leave  the  system  vulnerable  because  it  does 
not  provide  enough  data  to  the  network  administrator.  Therefore,  one  should  use  more 
than  one  NIDS  in  series,  as  necessary,  on  a  larger-scale  network.  For  example,  if  the 
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system  consists  of  a  wireless  network  with  a  demilitarized  zone,  installing  two  different 
NIDSs  for  each  of  those  networks  may  increase  the  network  monitoring  capacity. 

3.  Intrusion  Prevention  Systems 

Intrusion  Prevention  Systems  (IPS)  are  powerful  tools  in  that  they  not  only  have 
the  ability  to  operate  with  the  same  logic  as  IDSs,  but  also  can  prevent  intrusion  incidents 
from  happening.  There  are  different  types  of  IPSs  with  different  capabilities  to  prevent 
attacks.  With  respect  to  these  capabilities,  an  IPS  can  prevent  attacks  by  ending  a 
connection  or  user  session,  changing  the  security  configurations  of  the  system,  or 
changing  malicious  content  (Scarfone  &  Mell,  2007).  For  example,  an  IPS  can  scan 
incoming  emails  and  remove  any  malicious  attachment,  then  permit  the  email  to  reach  its 
receiver  without  the  harmful  attachment  (Scarfone  &  Mell,  2007). 

System  administrators  can  use  IPSs  in  conjunction  with  IDSs.  This  decision 
depends  on  the  organization’s  network  security  policies.  However,  IPSs  may  provide 
robust  security  tools  for  the  network  security.  Due  to  their  capability  for  prevention,  they 
make  it  less  difficult  for  the  network  administrators  to  secure  their  systems.  Obviously, 
some  threats  may  pass  through  the  systems’  prevention  mechanisms;  however,  reducing 
the  number  of  threats  inside  the  system  can  help  network  administrators  concentrate  on 
the  security  issues  that  exist  within  the  network. 

4.  Anti-Virus  Software 

Anti-virus  (AV)  or  anti-malware  software  can  protect  systems  against  malicious 
software  by  using  signature-  or  behavior-based  database  definition  comparisons.  Anti¬ 
virus  software  has  a  predominant  role  in  the  protection  of  organizational  networks.  Even 
though  they  do  not  have  the  ability  to  find  malware  that  does  not  contain  a  signature 
present  in  their  database,  AV  systems  can  prevent  critical  known  security  issues  that  may 
occur  on  a  host.  For  instance,  an  end-user  who  does  not  know  basic  computer  security 
may  insert  a  flash  drive  that  contains  malware  into  the  organization’s  computer  that  does 
not  have  any  anti-virus  protection,  which  may  result  in  that  malware  spreading  through 
the  system.  However,  if  the  system  had  host-based  AV  software  installed,  it  could  detect 
and  eradicate  the  virus. 
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There  are  many  kinds  of  AV  software  available  with  different  features.  For  this 
reason,  network  security  administrators  should  carefully  choose  the  proper  software  for 
own  organizational  needs.  According  to  Jill  West  et  al.,  (2015),  AV  software  should  have 
at  least  these  capabilities: 

•  Detect  malware  through  signature  scanning 

•  Detect  malware  through  integrity  checking 

•  Detect  malware  by  monitoring  unexpected  file  changes  or  virus-like 
behaviors 

•  Receive  regular  updates  and  modifications 

•  Consistently  report  only  valid  instances  of  malware  (p.  418) 

All  of  those  features  can  help  make  the  system  more  secure  against  malware.  Still, 
end-user  awareness  plays  a  major  role  in  malware  protection.  For  instance,  an  attacker 
can  conduct  a  social  engineering  attack  on  the  organization’s  employees  by  sending 
brand-new  malware  as  an  attractive  email  attachment.  Accordingly,  even  the  best 
signature -based  AV  software  cannot  detect  this  malware.  Even  if  only  one  person  opens 
that  attachment,  the  network  administrator’s  efforts  to  secure  the  network  go  for  naught. 

5.  Nagios  XI 

Nagios  XI  is  a  Linux-based  tool  that  contains  many  features  benefiting  IT 
infrastructure  and  managers  by  monitoring  necessary  elements  of  the  network.  Robust 
dashboards  give  initial  access  to  observe  the  data  effectively.  Users  can  customize  the 
layout,  preferences,  and  design  according  to  personal  choice  (“Nagios  XI,”  2016).  To 
increase  awareness,  Nagios  XI  may  send  outage  details  via  email  or  mobile  alerts  to  the 
responsible  personnel  so  that  they  can  solve  the  problem  at  once  (“Nagios  XI,”  2016). 
Figure  4  shows  one  of  the  Nagios  XI  features,  an  example  of  a  network  replay  report, 
which  shows  the  network  devices’  status  over  time.  The  interactive  nodes  in  this  figure 
allow  the  network  administrator  to  understand  the  historical  status  of  each  device 
(“Nagios  XI,”  n.d.). 
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Tt*e  network  replay  displays  the 
histoncal  status  of  network 
devices  (hosts)  over  time,  which  is 
useful  for  understanding  how 
outages  affect  the  overall  health  of 
the  network. 

Use  the  slider  bar  to  move  through 
time.  The  automatic  refresh  may 
be  stopped  or  resumed  using  the 
controls  above.  Click  on  a  node  to 
center  it  and  obtain  status  details. 


Figure  4.  Nagios  XI  Infrastructure  Management  Feature,  Example  of  Network 

Replay  Report.  Source:  “Nagios  XI”  (2016). 

Nagios  XI  also  has  a  powerful  monitoring  engine  that  allows  users  active  and 
extended  monitoring.  Also,  the  tool  has  a  web  interface  and  provides  advanced  graphs  to 
increase  user  visibility  into  the  system  state.  Specifically  for  convenient  configuration  of 
the  network  devices,  Nagios  XI  provides  Configuration  Wizards  to  easily  set  up  devices, 
services,  databases  and  so  on  (“Nagios  XI,”  2016). 

6.  NetCrunch 

NetCrunch  is  a  high  capacity  network-monitoring  tool  that  is  able  to  detect 
network  devices  automatically,  identify  the  device  type,  or  find  out  whether  the  device 
supports  SNMP,  Simple  Network  Management  Protocol  (, NetCrunch ,  n.d.).  Accordingly, 
NetCrunch  can  automatically  build  routing,  logical  network,  and  Data  Link  Layer  (Layer 
2)  maps  ( NetCrunch ,  n.d.).  For  managing  network  devices,  NetCrunch  uses  SNMP 
( NetCrunch ,  n.d.).  NetCrunch  also  has  many  capabilities,  such  as  traffic  monitoring  from 
different  flow  sources,  log  monitoring,  hardware  and  software  inventory  by  which  the 
software  can  show  data  about  installed  patches,  and  alerting  abilities  ( NetCrunch ,  n.d.). 
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NetCrunch  can  run  56  previously  defined  actions  on  remote  hosts,  such  as  rebooting 
machines  or  restarting  services  ( NetCrunch ,  n.d.).  This  program  also  uses  an  alert 
notification  system  via  email  or  text  messages  ( NetCrunch ,  n.d.).  Correspondingly,  it 
shows  current  alerts  in  the  “Pending  Alerts  View”  screen  so  as  to  draw  the  attention  of 
the  users  to  present  network  problems  rather  than  having  to  look  through  the  event  logs 
only  (see  Figure  5). 
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Figure  5.  NetCrunch  Pending  Alerts  View,  Example  Display.  Source: 

“NetCrunch”  (n.d.). 


7.  Solaris  Network  Performance  Monitor 

Solaris  Network  Performance  Monitor  (NPM)  is  a  Windows-based  network 
monitoring  and  management  software  product.  It  has  powerful  features  that  may  help 
network  administrators  increase  their  situational  awareness  of  the  network  devices. 
According  to  Solaris  NPM  website,  some  of  the  features  of  the  software  are: 

•  Customizable  topology  and  dependency-aware  intelligent  alerts 

•  Dynamic  wired  and  wireless  network  discovery  and  mapping 

•  Automated  capacity  forecasting  alerting,  and  reporting 

•  Wireless  network  monitoring  and  management 
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•  Consultant-and  services-free  deployment 

•  Customizable  single-pane-of-glass  network  monitoring  software 

•  Hardware  health  monitoring  and  alerting 

•  Customizable  performance  and  availability  reports 

•  Dynamic  statistical  network  performance  baselines  (“SolarWinds,”  n.d.) 
Monitoring  different  kinds  of  devices  with  the  help  of  these  abilities,  a  network 

administrator  may  have  sufficient  information  about  the  current  situation  of  the  network 
to  respond  quickly  to  network  troubles  that  arises. 

Also,  as  shown  in  Figure  6,  the  ability  to  group  network  nodes  by  vendor  can 
provide  further  information  to  the  administrator  as  to  whether  the  detected  problem  that 
requires  attention  might  be  a  product-based  issue  (“SolarWinds,”  n.d.).  To  illustrate,  if  one 
of  a  vendor’s  products  starts  to  send  more  errors,  this  may  be  the  result  of  a  vulnerability  or 
the  result  of  a  vendor-released  patch  that  is  not  compatible  with  the  system. 


Figure  6.  Solaris  NPM  Network  Availability  and  Performance  Monitoring 
Screenshot.  Source:  “SolarWinds”  (n.d.). 
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8.  Host  Based  Security  System 

The  Host  Based  Security  System  (HBSS)  is  a  DOD  program.  According  to  Mike 
Gawlas  (2009),  the  main  goal  of  this  program  is  “to  provide  network  administrators  and 
security  personnel  with  mechanisms  to  prevent,  detect,  track,  report  and  remediate 
malicious  computer-related  activities  and  incidents  across  all  Defense  Department 
networks  and  information  systems”  (Gawlas,  2009).  Thus,  HBSS  can  enhance  CSA  of 
DOD  systems  by  strengthening  its  command  and  control  over  the  associated  cyber 
systems  (Boland,  2012). 

HBSS  is  a  combination  of  the  network  and  host  based  security  systems  employed 
by  the  DOD  for  each  host  on  the  controlled  networks  (Boland,  2012).  The  system  has  the 
ability  to  allow  the  use  of  only  authorized  software  and  devices  on  the  network  in 
accordance  with  the  predefined  rules  (Gawlas,  2009).  HBSS  has  many  capabilities  to 
maintain  host  security,  such  as  the  ability  to  check  a  host’s  behavior  by  comparing  the 
common  behaviors  of  the  host  with  the  current  authorized  behavior  so  that  the  system 
generates  an  alert  regarding  an  unexpected  activity  (Newth,  2016). 

C.  SUMMARY 

The  goal  of  this  chapter  was  to  develop  an  understanding  of  the  types  of  tools  and 
techniques  necessary  and  available  to  build  and  maintain  secure  networks.  Herein  it  was 
discussed  that  all  of  the  cyber  security  techniques  and  tools  presented  are  helpful  to 
protect  the  associated  networks  and  devices,  as  well  as  to  develop  CSA.  Better  CSA 
serves  to  strengthen  the  security  of  the  cyber  systems.  The  next  chapter  proposes  a  design 
model  for  network  administrators  to  develop  and  maintain  CSA  using  the  tools  and 
techniques  presented  in  this  chapter. 
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IV.  CYBER  SITUATIONAL  AWARENESS  MODEL  DESIGN 


Access  to  data  is  becoming  more  and  more  digitalized,  however,  the  rapid 
increase  in  volume  of  digital  information  used  by  commercial  and  government 
enterprises  has  necessitated  new,  more  robust,  and  powerful  information  systems  to  store, 
process,  and  analyze  this  data.  Hard  disks,  software,  computer  processors,  and  other 
computer  technologies  are  growing  rapidly  in  order  to  handle  and  store  all  this  emerging 
data.  New  technologies  and  systems  continue  to  appear,  such  as  cyber-rich  networks, 
cloud  environments,  the  Internet  of  Things,  artificial  intelligence,  and  so  on.  As  users’ 
data  requirements  grow  more  complex,  they  demand  information-dependent  technologies 
that  are  interdependent  with  one  other.  At  the  same  time,  this  growth  in  data  systems 
technology  is  also  placing  greater  demands  on  security  to  protect  the  valuable  data  within 
these  systems.  The  transportation,  maintenance,  and  protection  of  such  data  require 
significant  resources.  Automation  processes  and  tools  are  being  leveraged  by  enterprises 
to  address  these  requirements  by  using  similar  information  technologies  to  analyze  the 
data  of  interest.  However,  the  complexity  of  the  automation  processes  themselves  also 
produces  more  raw  data  to  be  assessed  by  human  decision  makers,  inevitably  adding  to 
the  complexity  of  the  network  administrator’s  role.  It  is  critical  that  enterprises  have 
complete  and  accurate  situational  awareness  of  their  systems  to  support  to  proper 
decision  making. 

As  discussed  in  Chapter  II,  CSA  is  of  crucial  importance  to  securing  cyber 
systems.  Most  CSA  tools  help  cyber  security  professionals  by  initiating  alerts,  warning 
messages,  and  log  entries,  while  some  tools,  like  IPSs,  protect  the  systems  themselves 
against  cyber  threats.  However,  security  reports  such  as  Symantec’s  2016  Internet 
Security  Threat  Report  show  that  security  threats  are  not  decreasing  with  respect  to  the 
bulk  of  the  tools.  Instead,  the  number  of  threats  is  significantly  increasing. 

Oftentimes,  an  expert  cyber  security  professional  is  effectively  a  novice  user 
when  a  new  technology  is  introduced.  Developing  CSA  by  utilizing  tools  remains  limited 
without  enhancing  human  understanding.  This  requires  users  to  continuously  cultivate 
and  maintain  CSA. 
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Making  decisions  based  on  sensor  data  is  necessary  to  protect  cyber  systems; 
however,  this  is  not  always  sufficient.  Since  a  cyber  system  may  consist  of  many  entities, 
focusing  on  it  as  only  one  entity  is  not  sufficient.  Yet,  the  complexity  of  the  integrated 
cyber  systems  within  a  network  does  not  lend  itself  to  discussion  that  treats  each 
component  separately.  Accordingly,  understanding  a  complex  system  by  dividing  it  into 
its  hierarchical  elements  might  yield  more  timely  and  accurate  decisions.  Therefore,  to 
develop  better  CSA  of  cyber  networks  and  systems,  one  should  start  by  understanding 
them  from  end-to-end  by  developing  a  new  CSA  model. 

A.  CYBER  SITUATIONAL  AWARENESS  PYRAMID 

Considering  the  importance  of  CSA  with  respect  to  the  decision-making  process, 
it  is  clear  that  it  should  be  analyzed  from  multiple,  hierarchical  perspectives  regarding 
cyber  security.  Just  as  dividing  systems  into  different  components  reduces  their 
complexity,  using  an  incremental  approach  to  CSA  may  help  to  reduce  the  logical 
complexity  of  the  cyber  systems  of  interest,  thus  improving  our  understanding  of  these 
components  parts  and  contributing  to  improved  CSA. 

We  define  CSA  as  being  composed  of  configurational  awareness,  operational 
awareness,  and  special  conditions  awareness.  If  one  can  clearly  identify  and  implement 
the  goals  of  each  of  these  parts  of  a  cyber  system,  one  can  approach  absolute  awareness 
of  cyber  security.  The  component  parts  of  CSA  are  hierarchical  in  their  nature,  and  can 
be  envisioned  as  a  pyramid,  as  shown  in  Figure  7. 
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As  each  level  of  the  pyramid  is  accomplished  well,  the  administrator’s  CSA 
increases,  reducing  the  logical  complexity  of  the  system.  This  then  allows  the  decision 
maker  to  focus  on  the  next  level.  Finally,  reaching  the  top  level,  the  administrator  may 
achieve  maximum  CSA  of  the  system.  Without  achieving  the  lower  levels,  it  is  not 
possible  to  develop  CSA  at  the  next  level.  When  a  lower  level  has  unresolved  problems 
associated  with  it,  the  administrator  will  be  unable  to  identify  or  resolve  problems 
associated  with  the  next  level. 

1.  Configurational  Awareness 

Configurational  awareness  (CA)  is  the  base  of  the  CSA  pyramid;  it  represents  the 
reality  that  the  configuration  is  the  foundation  of  information  system  security.  Without  a 
proper  configuration  policy,  maintaining  secure  and  reliable  cyber  systems  would  not  be 
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possible.  Building  better  configuration  management  of  a  system  reduces  the  security  risks 
to  that  system. 

As  discussed  earlier,  CSA  depends  on  the  data  that  sensors  produce  continuously. 
Sensors  tend  to  produce  more  data  in  a  poorly  configured  system  than  they  do  in  a  well 
configured  one;  for  example,  a  system  without  a  proper  configuration  easily  becomes 
vulnerable.  This  tends  to  increase  false  positive  sensor  data,  such  as  with  IDSs,  which  can 
lead  administrators  to  make  poor  decisions  as  they  could  miss  critical  valid  data  due  to 
the  complexity  and  chaos  of  the  information  being  received.  Eventually,  this  overload  of 
invalid  data  due  to  poor  system  configuration  results  in  the  administrator’s  CSA 
decreasing  dramatically.  However,  in  a  converse  scenario,  an  administrator  of  a  well- 
configured  system  does  not  have  to  cope  with  configuration-related  data.  When  the 
system  is  properly  configured  according  to  best  practices,  the  administrator  is  able  to 
focus  on  the  operational  level  of  awareness  because  the  system’s  configuration  generates 
less  distracting  invalid  sensor  data.  Thus,  it  is  easier  for  the  network  administrator  to 
comprehend  the  activity  of  the  network  associated  with  operations. 

Sometimes  well-configured  networks  can  also  have  problems  caused  by  human 
errors  introduced  to  the  configuration  process.  The  solution  to  this  problem  is  to  monitor 
the  system  configuration  by  implementing  network  configuration  management  tools. 
These  tools  not  only  provide  necessary  information  about  the  system  configuration  but 
also  help  to  configure  all  of  the  network  devices,  thus  enabling  administrators  to  focus  on 
the  upper  levels  of  the  CSA  pyramid. 

2.  Operational  Awareness 

Cyber  security  must  continuously  identify  each  threat,  block  each  threat,  and  then 
address  the  vulnerability  that  is  the  root  cause  of  the  risk  associated  with  the  threat.  In  the 
operational  awareness  (OA)  level  of  CSA,  cyber  security  tools  help  to  identify  threats  to 
the  system.  Tools  such  as  IDS,  firewalls,  or  anti-virus  software  provide  operational 
warnings  and  log  entries  while  the  system  is  in  operation.  Threats  identified  by  such  tools 
help  the  administrator  eliminate  and  block  these  threats.  The  administrator  may  do  this  by 
deleting  malicious  software,  blocking  an  IP  address,  or  changing  the  configuration  of  the 
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system.  This  threat  detection  and  prevention  is  a  continuing  process,  depending  on  the 
emergence  of  threat  during  the  system’s  operation. 

As  described  in  the  CA  component  of  CSA  pyramid,  administrators  of  a  well- 
configured  system  can  more  effectively  focus  on  the  most  critical  issues  in  OA. 
Automation  plays  a  critical  role  in  accomplishing  this  in  OA.  Correctly  configured  IPSs, 
or  other  cyber  security  automation  tools,  may  do  a  significant  portion  of  the  job  without 
human  interaction.  So,  the  administrator  can  focus  on  more  relevant  and  critical  sensor 
data  to  analyze  it  in  terms  of  cyber  security.  Thus,  automation  helps  to  decrease  the 
amount  of  unnecessary  data  requiring  manual  inspection.  Though  these  tools  may  come 
with  a  default  set  of  configurations,  they  still  require  custom  configuration  with  respect  to 
the  system  they  support  and  for  expected  or  emerging  threat  patterns.  Eventually,  a 
proper  and  accurate  configuration  of  these  tools  enhances  system  security  by  supporting 
the  administrator’s  OA. 

3.  Special  Conditions  Awareness 

The  CA  and  OA  components  of  CSA  focus  primarily  on  administrator  level  CSA. 
One  should  not  neglect,  however,  the  user  level  of  awareness  as  being  critical  to  overall 
CSA;  this  user  level  is  captured  by  special  conditions  awareness  (SCA).  SCA  is  the 
uppermost  level  of  the  CSA  pyramid,  as  without  CA  and  OA  the  network  administrator 
may  not  be  able  to  detect  risk  behaviors  by  system  users,  such  as  inserting 
unauthenticated  removable  media  into  system  devices  or  attempting  to  install  suspicious 
and  unnecessary  software.  Even  correctly  configured  and  protected  systems  might  be 
compromised  if  this  level  of  CSA  is  not  achieved. 

It  is  not  possible  to  define  all  of  the  special  conditions  that  might  expose  a  cyber 
system  to  attacks  or  persistent  threats  because,  as  the  systems  evolve,  new  threats  may 
appear.  Even  the  best  cyber  security  tools  that  focus  on  CA  and  OA  may  not  be  able  to 
identify  all  types  of  threats  that  may  appear  to  the  user  system;  thus,  there  is  no  absolute 
cyber  security  level  achieved  without  developing  and  maintaining  user  level  CSA.  To 
illustrate  this  point,  consider  a  secure  network  in  which  security  tools  and  techniques  are 
employed  to  protect  its  perimeter.  Even  a  system  like  this  may  not  be  entirely  secure,  as 
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human  users  are  utilizing  the  system.  An  aggressive,  well- structured  phishing  attack  may 
result  in  even  a  trained  user  dropping  his  guard  and  releasing  information  to  the  attacker 
that  could  result  in  system  compromise. 

Curiosity,  desires,  and  other  behaviors  associated  with  human  nature  make  cyber 
systems  vulnerable  to  insider  threats.  However,  if  users  with  higher  CSA  realize 
something  is  happening  within  their  cyber  environment  and  report  suspicious  activity  to 
the  administrators,  these  users  can  make  a  real  difference  in  the  overall  security  of  the 
system.  So,  even  non-expert  users  receiving  security-related  training  and  experience  is  as 
vital  as  properly  trained  system  administrators. 

B.  SUMMARY 

This  chapter  has  presented  a  model  of  cyber  situational  awareness  based  on  a 
pyramid  concept  of  interrelated  levels  of  SA  for  cyber  systems  and  the  networks  that  they 
protect.  The  model  suggests  that  three  hierarchical  levels  of  SA  contribute  to  developing 
better  CSA.  The  model  divides  CSA  into  three  distinct  levels  to  better  understand, 
maintain,  and  improve  awareness  over  networked  systems.  These  levels  are 
configurational  awareness,  operational  awareness,  and  special  conditions  awareness. 
Without  achieving  awareness  at  the  lowest  level  of  the  model,  the  administrator  will  have 
difficulty  improving  the  upper  levels  of  awareness.  Therefore,  these  levels  of  awareness 
must  be  achieved  from  the  bottom  up  to  affect  the  network  administrator’s  CSA. 
Achieving  all  levels  of  the  CSA  pyramid  directly  supports  the  goal  of  achieving  absolute 
security  in  cyber  systems. 
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V.  CONCLUSION  AND  FUTURE  WORK 


A.  SUMMARY  AND  CONCLUSION 

The  purpose  of  this  research  was  to  understand  cyber  situational  awareness  with 
regard  to  the  perspective  of  network  administrators,  to  help  shed  light  on  the 
requirements  of  training  for  cyber  security  professionals.  The  research  argued  that 
improving  administrators’  CSA  may  help  to  better  secure  cyber  systems.  Continuous 
monitoring  of  cyber  systems  is  critical  to  achieving  that  goal.  To  this  end,  administrators 
benefit  from  informed,  experienced  use  of  available  network  tools  and  best  practices  and 
techniques. 

To  promote  the  understanding  of  CSA,  this  research  first  discussed  the  concepts 
of  situational  awareness  as  they  pertain  to  management  and  use  of  cyber  systems.  Next, 
the  research  surveyed  some  of  the  tools  and  techniques  pertinent  to  generating  CSA. 
Finally,  the  research  proposed  a  CSA  development  model  in  order  to  guide  the 
establishment  and  maintenance  of  effective  CSA  of  network  administrators  and  users 
whose  principal  responsibility  is  the  operation  of  cyber  systems. 

There  are  many  cyber  security  and  network  monitoring  tools  available,  each  with 
many  different  features.  Some  enhance  cyber  system  oversight  by  automatically  detecting 
or  preventing  external  attacks  and  reducing  the  number  of  threats  to  reach  the  inside  of 
the  systems.  Still,  these  do  not  provide  enough  protection  against  novel  threats,  which  are 
the  most  dangerous  ones.  Such  threats  require  human  analysis  of  the  sensor  data. 
Additionally,  cyber  security  and  network  monitoring  tools  may  produce  significant 
volumes  of  data,  potentially  more  than  the  human  brain  can  effectively  comprehend.  The 
velocity  of  the  data  also  makes  it  more  difficult  to  maintain  awareness  of  the  critical 
cyber  security  data  inherent  in  a  complex  system  with  complex  data. 

The  research  aimed  to  decrease  this  complexity  by  proposing  the  CSA  pyramid. 
This  pyramid  consists  of  three  levels,  depicting  a  hierarchy  of  addressing  security  threats: 
configurational  awareness,  operational  awareness,  and  special  conditions  awareness. 
These  levels  of  awareness,  addressed  from  bottom  to  top,  seek  to  improve  system 


37 


administrators’  CSA.  The  ultimate  goal  of  this  model  is  to  support  the  achievement  of 
absolute  cyber  security  through  human  interaction  with  proper  security  tools  and 
techniques.  Also,  the  research  concludes  that  administrator  CSA  is  not  enough  for 
absolute  security;  system  user  CSA  also  must  be  supported  by  the  model.  This  result 
shows  that  continued  user  training  is  as  critical  to  system  security  as  is  network 
administrator  training. 

B.  FUTURE  WORK 

The  research  benefits  the  MAVNATT  awareness  module  by  defining  CSA  and  a 
model  that  may  guide  the  development  of  both  administrator  and  user  CSA.  MAVNATT 
does  not  currently  have  an  awareness  module  implemented.  Additional  research  may 
build  this  module  for  MAVNATT  by  employing  the  proposed  CSA  model. 

Using  machine  learning  to  automate  threat  protection  processes  may  help  to 
develop  a  more  secure  cyber  system  by  enabling  administrators  to  focus  may  effectively 
on  the  higher  levels  of  CSA.  Conducting  research  to  implement  machine-learning 
algorithms  as  new  tools  for  the  generation  of  CSA  may  improve  the  cyber  security  of 
systems  of  interest.  Further,  artificial  intelligence  is  a  powerful  concept  in  information 
technology.  Therefore,  new  research  should  look  into  how  to  use  artificial  intelligence  to 
develop  CSA. 

Human  interaction  with  cyber  systems  is  not  making  networks  and  their 
components  safer.  User  activities,  such  as  unwittingly  opening  email  attachments  or 
using  flash  drives  containing  malware,  are  some  of  the  causes  of  cyber- attacks.  Reducing 
human  interaction  by  implementing  virtual  systems,  such  as  that  envisioned  by 
MAVNATT,  may  reduce  risks  introduced  by  system  users.  Therefore,  host-based 
systems  that  examine  the  data  in  a  virtual  environment  before  opening  it  in  the  real 
environment  may  reduce  the  security  risks  by  increasing  the  user’s  understanding  of  the 
potentially  catastrophic  effects  of  poor  cyber  situational  unawareness.  Research  into  this 
area  can  make  a  real  difference  in  overall  network  security. 
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CSA  training  is  becoming  compulsory  in  many  critical  organizations.  Research 
about  how  to  test  the  effectiveness  of  this  training  may  help  to  improve  current  training 
methods. 

Information  technology  is  significantly  evolving  as  discussed  in  this  research.  The 
Internet  of  Things  (IoT)  is  an  example  of  this  evolving  technology.  As  IoT  poses 
increasing  vunerabilities  to  established  systems  by  presenting  new  vectors  of  exposure, 
the  security  of  IoT  also  presents  increased  cyber  security  concerns;  it  poses  new 
opportunities  to  conduct  research  about  configurational  and  operational  awareness  of 
CSA. 
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